Microsoft Patches a 2-decades-old Bug

The latest batch of Microsoft patches, released on November 11, 2014, includes a fix for a critical 19-year-old bug (CVE-2014-6332; MS14-064) that has existed in every version of Windows since Windows 95. IBM discovered the flaw last May and only disclosed it when Microsoft was ready with a fix. IBM Security Intelligence blog’s Robert Freeman describes it as a “complex and rare ‘unicorn-like’ vulnerability found in code that IE relies on but doesn’t necessarily belong to.” An attacker can use this flaw in drive-by attack scenarios to run arbitrary code remotely and take control of a user’s machine.

The flaw relies on a vulnerability in VBScript, which was introduced in Internet Explorer (IE) 3.0. What stands out about this find is that the critical buggy code went undetected for such a long period of time, even though numerous other bugs had been discovered and patched in the same Windows library where it resides (OleAut32). Having flown under the radar for so long may have contributed to it being impervious to the Enhanced Protected Mode (EPM) sandbox in IE 11 and to the Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool, which Microsoft offers for free.

As of this writing, there is no evidence of exploits in the wild taking advantage of this vulnerability.